Hoek is a general-purpose Node.js utility library designed to simplify common development tasks. Examining versions 3.0.3 and 3.0.4 reveals minimal changes, suggesting a patch release focused on minor fixes or internal improvements. Both versions share the same core structure, offering a collection of functions for object manipulation, data validation, and other helpful utilities. Developers should note that both versions list no direct dependencies, implying a lightweight and self-contained library, minimizing potential conflicts with other packages in a project.
The devDependencies section consistently lists "code" and "lab", the testing tools commonly used within the Hapi.js ecosystem, signalling a commitment to code quality and stability. The license remains "BSD-3-Clause", granting considerable freedom for usage and modification. Both versions point to the same GitHub repository, which supports ongoing development and community support. The primary distinction lies in the release dates; version 3.0.4 was released shortly after 3.0.3. While the exact nature of the modifications remains unspecified in the provided metadata, users upgrading from 3.0.3 to 3.0.4 would likely experience increased stability or slight improvements in performance. Developers considering Hoek for their projects can confidently use either version, bearing in mind that the slightly newer iteration may offer marginally improved code reliability.
All vulnerabilities affecting version 3.0.4 of the package
hoek subject to prototype pollution via the clone function.
hoek versions prior to 8.5.1, and 9.x prior to 9.0.3, are vulnerable to prototype pollution in the clone function. If an object with the __proto__ key is passed to clone(), the key is converted to a prototype. This issue has been patched in version 9.0.3 and backported to 8.5.1.
Prototype Pollution in hoek
Versions of hoek prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The merge function, and the applyToDefaults and applyToDefaultsWithShallow functions which leverage merge behind the scenes, are vulnerable to a prototype pollution attack when provided an unvalidated payload created from a JSON string containing the __proto__ property.
This can be demonstrated like so:
var Hoek = require('hoek');
// JSON.parse creates an own property literally named "__proto__"; merge then treats it as an ordinary key.
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {}; // an unrelated object, created before the merge and never passed to it
console.log("Before : " + a.oops); // undefined
Hoek.merge({}, JSON.parse(malicious_payload)); // merges into Object.prototype instead of the empty target
console.log("After : " + a.oops); // "It works !" - the property now shows up on every object
This type of attack can be used to overwrite existing properties causing a potential denial of service.
Update to version 4.2.1, 5.0.3 or later.
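As an added example (not hoek's own code, and not the advisory's demonstration): a minimal recursive merge that reproduces the unsafe pattern the advisory describes, beside a hardened variant that refuses prototype-reaching keys, plus a probe that reports whether a given merge leaks the payload onto an unrelated object. The names FORBIDDEN_KEYS, unsafeMerge, safeMerge and pollutes are chosen here, and the payload is a constructed copy of the advisory's shape.

```javascript
// Added example, not hoek's own code: a minimal recursive merge showing the
// unsafe pattern the advisory describes, beside a hardened merge that
// refuses the keys through which a JSON payload can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Constructed payload with the same shape as the advisory's demonstration.
const MALICIOUS_JSON = '{"__proto__":{"oops":"It works !"}}';

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unsafe: JSON.parse creates an own property literally named "__proto__",
// Object.keys() returns it, and reading target["__proto__"] yields
// Object.prototype, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: reject prototype-reaching keys, and only descend into a nested
// object that `target` owns itself, never one inherited from its prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`unsafe key: ${key}`);
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Returns true if merging `json` into a fresh object leaked "oops" onto an
// unrelated object (i.e. polluted Object.prototype); a merge that throws
// counts as not polluting. Removes the property again before returning.
function pollutes(mergeFn, json) {
  const probe = {};
  try { mergeFn({}, JSON.parse(json)); } catch (e) { return false; }
  const polluted = probe.oops !== undefined;
  delete Object.prototype.oops;
  return polluted;
}
```

Running pollutes(unsafeMerge, MALICIOUS_JSON) returns true while pollutes(safeMerge, MALICIOUS_JSON) returns false, which is the behaviour the fixed hoek releases restore.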